On 03/02/2016 05:24 AM, Anthony K wrote:
> On Tue, 2016-03-01 at 21:58 -0600, Johnny Hughes wrote:
>> On 03/01/2016 09:41 PM, Johnny Hughes wrote:
>>> But the security plugins do not work for CentOS and they never have,
>>> Peter is correct, you need to run yum update or call out the specific
>>> packages you want updated.
>>>
>
> I totally understand the necessity of a full system update. However, this begs
> the question "Why code an option into yum that is of no use?" Was there a time
> when this option was functional? If yes, what caused its removal? Was it a
> system compromise at some big corporation and someone got sued/fired? What?
> Don't spare any gory details either!
>
>
> ak.

It would require 2 things that we currently don't do.

1. Host all the RPMs ever built in one place that every update can hit.

2. An errata.xml file that contains information that is NOT open source and not allowed to be gathered by CentOS. (Although James Hogarth provided a link to one elsewhere in this thread)

First for #1:

We utilize several hundred servers and free bandwidth that they provide that are donated to the CentOS Project to distribute updates. This 'donated network' makes up the DNS names mirror.centos.org, msync.centos.org, and cloud.centos.org, etc. We use this network to distribute CentOS Linux to more than 630 servers (external mirrors) in 85 countries all over the world. We could not provide CentOS for free for the last 13 years if we did not have both the hundreds of donated machines that make up mirror.centos.org (and msync.centos.org) OR those external mirrors.

The vast majority of our donated mirror network servers do not have room to host all the RPMs from all active CentOS versions in one place and to distribute them to the vast external server network. We can't afford to replace the hundreds of donated (free) servers with ones that CAN host that amount of data AND also pay for enough bandwidth to distribute it to the external mirrors.
Even if we could, not all the current 635 mirrors would be able to take all that data. This is one of many reasons why there is a subscription price for RHEL.

Even if we DID all of that. Other than returning a couple of updates with the yum security plugin command, you STILL need to run 'yum update' to get all the updates as JUST doing the security ones is not supported / does not necessarily fix the security issues.

Then there is #2:

The information that goes INTO the XML file we would need to generate does not come from the source code from Red Hat Enterprise Linux that we use to build CentOS Linux. It would only come from screen scraping places like:

https://rhn.redhat.com/errata/rhel-server-7-errata.html

BUT, if you go to the 'terms of use' for Red Hat portals .. here:

https://access.redhat.com/help/terms/

You will see the definition of "Red Hat Content". While we CAN distribute the software we build (it is open source) .. we *CAN NOT* scrape and/or distribute content that is *NOT* open source but is copyrighted intellectual property.

To the best of our knowledge, the information needed to make up all the information needed to create the Errata XML file required to make the yum security plugin work is not available in a complete open source way where it would be able to be distributed. That is *WHY* the CentOS team does not copy and distribute any content into our announcements, but only links to open content in our announcements.

So, we can not distribute the information that is required in the XML file that would make the yum security plugin work .. *BUT* even if we could, you *STILL* need to run 'yum update' to get all the updates as JUST doing the security ones is not supported / does not necessarily fix the security issues.

Hopefully this makes sense.

You can instead just look at this:

https://lists.centos.org/pipermail/centos-announce/

(or subscribe to the CentOS announce mailing list to get emails)

Both of those places will tell you when there is a security update.

OR, you can subscribe to RHEL and use the information in the yum security plugin.